RE: protecting DHCP servers

From: Brian (focus-linux@tracking.zerobelow.org)
Date: 05/20/02


Date: Mon, 20 May 2002 12:58:44 -0700 (PDT)
From: Brian <focus-linux@tracking.zerobelow.org>
To: akopps@CSUA.Berkeley.EDU


> > I am wondering what is the correct way to restrict connections to the
> > dhcp server to come only from trusted subnets assuming that I don't
> > have administrative access to the routers and the server connects
> > directly to all trusted subnets. I am trying to use these rules:

I generally create a 'sanity' chain on my input ruleset that gets run
first. It would look something like this:

UNTRUST_IF=eth0
BAD="-j DROP"
#BAD="-j REJECT"

iptables -N sanity

iptables -I INPUT -i ${UNTRUST_IF} -j sanity
iptables -I FORWARD -i ${UNTRUST_IF} -j sanity

iptables -A sanity -s 0.0.0.0/32 ${BAD}
iptables -A sanity -s 10.0.0.0/8 ${BAD}
iptables -A sanity -s 172.16.0.0/12 ${BAD}
iptables -A sanity -s 192.168.0.0/16 ${BAD}
iptables -A sanity -s 224.0.0.0/8 ${BAD}
...
iptables -A sanity -j RETURN
...

(This is obviously not a whole ruleset, and I know the 224 with /8 mask is
wrong, I don't recall off the top of my head what the real range is for
that). Using a ruleset such as this would help prevent some of those
spoofing attacks.

A few notes on how you might elaborate on this: fix the 224 netmask, add
some limits to prevent ping/syn/whatever floods (do something like
'iptables -p icmp -m limit -j ACCEPT;iptables -p icmp -j DROP').

Hopefully that will give you a few ideas...

--brian
